15 WinRT APIs. The Windows Runtime (WinRT API) is the backbone of the new Metro-style apps (also known as Immersive apps) in the Windows 8 operating system. It provides a set of APIs that can be called from .NET languages (C#, VB.NET, F#), C++, and HTML/JavaScript. Apps created for WinRT are: safe, secure, sandboxed.



18 AppContainer. What is an application sandbox? A sandbox is a mechanism to isolate untrusted processes, protecting the system from exploit attacks. All Metro style apps run in an AppContainer. What does a sandbox contain? An isolated process which runs with very limited rights; a broker, a process which can execute specific actions on behalf of an isolated process; and an IPC mechanism that allows isolated processes to communicate with the broker.


20 We agree that all of these designs really do provide a secure execution environment for Metro style apps.

22 Previous Works on Sandbox Bypassing. Exploit kernel or privilege escalation vulnerabilities to escape the sandbox. File system: look for accessible folders/files and registry keys, especially writable locations on disk, and see what can be done with, or obtained from, those places. Send messages or keyboard events outside the sandbox; these might trigger privileged actions. Leverage special handles: some available handles might be usable to communicate with other processes or resources.

63 MSRC: Such undesirable activities are highly detectable by either users or the AV industry, and once reported to Microsoft, we have the ability to remove the offending app from all user machines, thus protecting Windows 8 users.

69 MSRC: (ClickOnce) The ClickOnce problem will be fixed in the next Windows 8 release. (DLL Hijacking) We would consider this type of exploit a vulnerability in the desktop applications rather than a vulnerability in the metro app or the platform. We continue to address DLL hijacking bugs in security updates as detailed in our security advisory for Insecure Library Loading.


71 Demo

72 FilePicker. PickerHost.exe is the broker process; it runs with medium permission. It is used when the user needs to save or read files in a specific folder that is not covered by the app's capability settings. Even if you did not grant file system access to the app, the app can still use SavePickFile/PickFolder to let the user choose the folders they want to access, for example to save a file in a user-specified folder. After the user clicks OK, the app has full control of that folder with the broker's permission.
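The following C# sketch is an added illustration of the consent flow described above; it is not code from the Trend Micro deck or from Microsoft. It assumes that the deck's "SavePickFile/PickFolder" refers to the Windows.Storage.Pickers FolderPicker API, and the settings key name pickedFolderToken is a placeholder chosen here. The point, from a reviewer's side, is what one OK click actually grants: the app can cache a FutureAccessList token for the folder and reopen it in later sessions without any further dialog, which is more than the single save the user may think they approved; the last function shows the revocation step the app itself would have to perform.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Storage;
using Windows.Storage.AccessCache;
using Windows.Storage.Pickers;

// Added example, not part of the presentation: what a Metro style app that
// declares no file-system capability ends up holding once the user clicks OK
// in the broker-hosted (PickerHost.exe) FolderPicker dialog.
public static class PickerGrant
{
    // Hypothetical settings key used here to remember the access-cache token.
    private const string TokenKey = "pickedFolderToken";

    // Step 1: the dialog runs in the broker at medium IL; only the user's choice
    // comes back into the AppContainer, as a StorageFolder handle.
    public static async Task<StorageFolder> AskUserForFolderAsync()
    {
        var picker = new FolderPicker
        {
            SuggestedStartLocation = PickerLocationId.DocumentsLibrary
        };
        picker.FileTypeFilter.Add("*"); // FolderPicker requires at least one filter entry

        StorageFolder folder = await picker.PickSingleFolderAsync();
        if (folder == null)
            return null; // user cancelled: nothing was granted

        // Step 2: persisting the grant. Without this the access ends with the
        // process; with it the folder can be reopened later with no dialog.
        string token = StorageApplicationPermissions.FutureAccessList.Add(folder);
        ApplicationData.Current.LocalSettings.Values[TokenKey] = token;
        return folder;
    }

    // Step 3: a later session reopens the folder without any user interaction.
    public static async Task<StorageFolder> ReopenGrantedFolderAsync()
    {
        if (ApplicationData.Current.LocalSettings.Values.TryGetValue(TokenKey, out object token)
            && token is string t
            && StorageApplicationPermissions.FutureAccessList.ContainsItem(t))
        {
            return await StorageApplicationPermissions.FutureAccessList.GetFolderAsync(t);
        }
        return null;
    }

    // The grant is read/write on the folder tree, not limited to one save.
    public static async Task WriteIntoGrantedFolderAsync(StorageFolder folder)
    {
        StorageFile file = await folder.CreateFileAsync(
            "note.txt", CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteTextAsync(file, "written from inside the AppContainer");
    }

    // Revocation: the grant survives until the app removes the token (or the
    // app is uninstalled); there is no per-folder revocation UI for the user.
    public static void ForgetGrant()
    {
        if (ApplicationData.Current.LocalSettings.Values.TryGetValue(TokenKey, out object token)
            && token is string t
            && StorageApplicationPermissions.FutureAccessList.ContainsItem(t))
        {
            StorageApplicationPermissions.FutureAccessList.Remove(t);
        }
        ApplicationData.Current.LocalSettings.Values.Remove(TokenKey);
    }
}
```

These calls only work from inside a packaged app on the UI thread, so a reviewer testing the behaviour would call AskUserForFolderAsync from a button handler, restart the app, and confirm that ReopenGrantedFolderAsync returns the folder with no dialog shown. That persistence is the gap between what the dialog appears to ask and what the capability model actually records.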

73 7/28/ Confidential Copyright 2012 Trend Micro Inc.

74 MSRC: This is a deliberate feature, and fully under the user's control. Users should not click OK to the File picker dialog if they do not want the app to have access to that folder tree. We consider this under the user's control and as such do not view it as a threat.

75 Conclusion. We introduced the security design of AppContainer, the methodology of Metro style app vulnerability discovery, and the issues we have discovered. Security vs. convenience: a never-solved problem? Do users really know what will happen after clicking OK?
